Remove some deprecated ocsp/ssl base scripts
parent
765a8535e0
commit
6130d32440
10 changed files with 1 additions and 215 deletions
2
doc
2
doc
|
@ -1 +1 @@
|
|||
Subproject commit 189dddc9e80cf3649672e491a5d89e200d3248f6
|
||||
Subproject commit f2607e2fab4f83062bc7b3a35bb5f4a7993521c8
|
|
@ -1 +0,0 @@
|
|||
@deprecated("Remove in v5.1. OCSP logging is now enabled by default")
|
|
@ -1,56 +0,0 @@
|
|||
@deprecated "Remove in v5.1. Use log-certs-base64.zeek instead."
|
||||
|
||||
##! This script is used to extract host certificates seen on the wire to disk
|
||||
##! after being converted to PEM files. The certificates will be stored in
|
||||
##! a single file, one for local certificates and one for remote certificates.
|
||||
##!
|
||||
##! .. note::
|
||||
##!
|
||||
##! - It doesn't work well on a cluster because each worker will write its
|
||||
##! own certificate files and no duplicate checking is done across the
|
||||
##! cluster so each node would log each certificate.
|
||||
##!
|
||||
|
||||
@load base/protocols/ssl
|
||||
@load base/files/x509
|
||||
@load base/utils/directions-and-hosts
|
||||
|
||||
module SSL;
|
||||
|
||||
export {
|
||||
## Control if host certificates offered by the defined hosts
|
||||
## will be written to the PEM certificates file.
|
||||
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
|
||||
option extract_certs_pem = LOCAL_HOSTS;
|
||||
}
|
||||
|
||||
# This is an internally maintained variable to prevent relogging of
|
||||
# certificates that have already been seen. It is indexed on an sha1 sum of
|
||||
# the certificate.
|
||||
global extracted_certs: set[string] = set() &read_expire=1hr &redef;
|
||||
|
||||
event ssl_established(c: connection) &priority=5
|
||||
{
|
||||
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
|
||||
! c$ssl$cert_chain[0]?$x509 )
|
||||
return;
|
||||
|
||||
if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
|
||||
return;
|
||||
|
||||
local hash = c$ssl$cert_chain[0]$sha1;
|
||||
local cert = c$ssl$cert_chain[0]$x509$handle;
|
||||
|
||||
if ( hash in extracted_certs )
|
||||
# If we already extracted this cert, don't do it again.
|
||||
return;
|
||||
|
||||
add extracted_certs[hash];
|
||||
local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem";
|
||||
local outfile = open_for_append(filename);
|
||||
enable_raw_output(outfile);
|
||||
|
||||
print outfile, x509_get_certificate_string(cert, T);
|
||||
|
||||
close(outfile);
|
||||
}
|
|
@ -1,106 +0,0 @@
|
|||
@deprecated("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
|
||||
|
||||
@load base/protocols/ssl
|
||||
|
||||
module CertNotary;
|
||||
|
||||
export {
|
||||
## A response from the ICSI certificate notary.
|
||||
type Response: record {
|
||||
first_seen: count &log &optional;
|
||||
last_seen: count &log &optional;
|
||||
times_seen: count &log &optional;
|
||||
valid: bool &log &optional;
|
||||
};
|
||||
|
||||
## The notary domain to query.
|
||||
option domain = "notary.icsi.berkeley.edu";
|
||||
}
|
||||
|
||||
redef record SSL::Info += {
|
||||
## A response from the ICSI certificate notary.
|
||||
notary: Response &log &optional;
|
||||
};
|
||||
|
||||
# The DNS cache of notary responses.
|
||||
global notary_cache: table[string] of Response &create_expire = 1 hr;
|
||||
|
||||
# The records that wait for a notary response identified by the cert digest.
|
||||
# Each digest refers to a list of connection UIDs which are updated when a DNS
|
||||
# reply arrives asynchronously.
|
||||
global waitlist: table[string] of vector of SSL::Info;
|
||||
|
||||
function clear_waitlist(digest: string)
|
||||
{
|
||||
if ( digest in waitlist )
|
||||
{
|
||||
for ( i in waitlist[digest] )
|
||||
SSL::undelay_log(waitlist[digest][i], "notary");
|
||||
delete waitlist[digest];
|
||||
}
|
||||
}
|
||||
|
||||
event ssl_established(c: connection) &priority=3
|
||||
{
|
||||
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
|
||||
! c$ssl$cert_chain[0]?$sha1 )
|
||||
return;
|
||||
|
||||
local digest = c$ssl$cert_chain[0]$sha1;
|
||||
|
||||
if ( digest in notary_cache )
|
||||
{
|
||||
c$ssl$notary = notary_cache[digest];
|
||||
return;
|
||||
}
|
||||
|
||||
SSL::delay_log(c$ssl, "notary");
|
||||
|
||||
local waits_already = digest in waitlist;
|
||||
if ( ! waits_already )
|
||||
waitlist[digest] = vector();
|
||||
waitlist[digest] += c$ssl;
|
||||
if ( waits_already )
|
||||
return;
|
||||
|
||||
when [digest] ( local str = lookup_hostname_txt(fmt("%s.%s", digest, domain)) )
|
||||
{
|
||||
notary_cache[digest] = [];
|
||||
|
||||
# Parse notary answer.
|
||||
if ( str == "<???>" ) # NXDOMAIN
|
||||
{
|
||||
clear_waitlist(digest);
|
||||
return;
|
||||
}
|
||||
local fields = split_string(str, / /);
|
||||
if ( |fields| != 5 ) # version 1 has 5 fields.
|
||||
{
|
||||
clear_waitlist(digest);
|
||||
return;
|
||||
}
|
||||
local version = split_string(fields[0], /=/)[1];
|
||||
if ( version != "1" )
|
||||
{
|
||||
clear_waitlist(digest);
|
||||
return;
|
||||
}
|
||||
local r = notary_cache[digest];
|
||||
r$first_seen = to_count(split_string(fields[1], /=/)[1]);
|
||||
r$last_seen = to_count(split_string(fields[2], /=/)[1]);
|
||||
r$times_seen = to_count(split_string(fields[3], /=/)[1]);
|
||||
r$valid = split_string(fields[4], /=/)[1] == "1";
|
||||
|
||||
# Assign notary answer to all records waiting for this digest.
|
||||
if ( digest in waitlist )
|
||||
{
|
||||
for ( i in waitlist[digest] )
|
||||
{
|
||||
local info = waitlist[digest][i];
|
||||
SSL::undelay_log(info, "notary");
|
||||
info$notary = r;
|
||||
}
|
||||
delete waitlist[digest];
|
||||
}
|
||||
}
|
||||
}
|
|
@ -67,7 +67,6 @@
|
|||
@load files/unified2/__load__.zeek
|
||||
@load files/unified2/main.zeek
|
||||
@load files/x509/disable-certificate-events-known-certs.zeek
|
||||
@load files/x509/log-ocsp.zeek
|
||||
@load frameworks/packet-filter/shunt.zeek
|
||||
@load frameworks/software/version-changes.zeek
|
||||
@load frameworks/software/vulnerable.zeek
|
||||
|
@ -129,13 +128,11 @@
|
|||
@load protocols/ssh/software.zeek
|
||||
@load protocols/ssl/decryption.zeek
|
||||
@load protocols/ssl/expiring-certs.zeek
|
||||
# @load protocols/ssl/extract-certs-pem.zeek
|
||||
@load protocols/ssl/heartbleed.zeek
|
||||
@load protocols/ssl/known-certs.zeek
|
||||
@load protocols/ssl/log-certs-base64.zeek
|
||||
@load protocols/ssl/ssl-log-ext.zeek
|
||||
@load protocols/ssl/log-hostcerts-only.zeek
|
||||
#@load protocols/ssl/notary.zeek
|
||||
@load protocols/ssl/validate-certs.zeek
|
||||
@load protocols/ssl/validate-ocsp.zeek
|
||||
@load protocols/ssl/validate-sct.zeek
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
# Scripts which are commented out in test-all-policy.zeek.
|
||||
@load protocols/ssl/decryption.zeek
|
||||
@load protocols/ssl/notary.zeek
|
||||
@load frameworks/control/controllee.zeek
|
||||
@load frameworks/control/controller.zeek
|
||||
@load frameworks/management/agent/main.zeek
|
||||
|
@ -12,7 +11,6 @@
|
|||
@load frameworks/files/extract-all-files.zeek
|
||||
@load policy/misc/dump-events.zeek
|
||||
@load policy/protocols/conn/speculative-service.zeek
|
||||
@load policy/protocols/ssl/extract-certs-pem.zeek
|
||||
|
||||
@load ./example.zeek
|
||||
|
||||
|
|
|
@ -1,9 +1,2 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
### NOTE: This file has been sorted with diff-sort.
|
||||
warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:15 "Remove in v5.1. Use log-certs-base64.zeek instead."
|
||||
warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from command line arguments "Remove in v5.1. Use log-certs-base64.zeek instead."
|
||||
warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:70 ("Remove in v5.1. OCSP logging is now enabled by default")
|
||||
warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:70 ("Remove in v5.1. OCSP logging is now enabled by default")
|
||||
warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. OCSP logging is now enabled by default")
|
||||
warning in <...>/notary.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:5 ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
|
||||
warning in <...>/notary.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEfDCCA+WgAwIBAgIQBKeBFvADKDvaK4RiBJ+eyzANBgkqhkiG9w0BAQUFADCB
|
||||
ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
|
||||
aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
|
||||
dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg
|
||||
SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w
|
||||
NjExMTQwMDAwMDBaFw0wNzExMTQyMzU5NTlaMIHAMQswCQYDVQQGEwJERTEPMA0G
|
||||
A1UECBMGQmF5ZXJuMREwDwYDVQQHFAhNdWVuY2hlbjE3MDUGA1UEChQuQUdJUyBB
|
||||
bGxpYW56IERyZXNkbmVyIEluZm9ybWF0aW9uc3N5c3RlbWUgR21iSDEzMDEGA1UE
|
||||
CxQqVGVybXMgb2YgdXNlIGF0IHd3dy52ZXJpc2lnbi5jb20vcnBhIChjKTAwMR8w
|
||||
HQYDVQQDFBZ3d3cuZHJlc2RuZXItcHJpdmF0LmRlMIGfMA0GCSqGSIb3DQEBAQUA
|
||||
A4GNADCBiQKBgQDrqHR+++O06r6LHD3t6oYEYlHgKlqehm+Yy7zF7cXIyladTJJY
|
||||
4WsTb7y35S6YQPeP1qPACqtGUhs4/AUg54Duxl3VuwP8xYO6mmcI/Sy6owiU8LMf
|
||||
Fij2BWZbv3+oWfq+mWs2YrhuxoNHU2MPWrRRwYioVbnUMW09KkqVCtF7hwIDAQAB
|
||||
o4IBeTCCAXUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRgYDVR0fBD8wPTA7oDmg
|
||||
N4Y1aHR0cDovL2NybC52ZXJpc2lnbi5jb20vQ2xhc3MzSW50ZXJuYXRpb25hbFNl
|
||||
cnZlci5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIB
|
||||
FhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMCgGA1UdJQQhMB8GCWCGSAGG
|
||||
+EIEAQYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEF
|
||||
BQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0GCCsGAQUFBwEMBGEwX6Fd
|
||||
oFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrU
|
||||
SBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMA0G
|
||||
CSqGSIb3DQEBBQUAA4GBAC9z4m/BniN+WVCJlXhv6QS9mFRTYOwIUtIKKZKabarV
|
||||
sWfBYt7JGE5XPWmcsgNmkgO76E3FmNQvQtm20uCXEFh2z+fWp8y72yXuQl3L8HSr
|
||||
0lTl6LpRD6TDPjT6UvKg5nr0j9x2Qr09/HjAt+teLR/FoF7foBGH+MNYEMh5KPjk
|
||||
-----END CERTIFICATE-----
|
|
@ -16,7 +16,6 @@
|
|||
|
||||
@load base/protocols/ssl
|
||||
@load base/files/x509
|
||||
@load protocols/ssl/extract-certs-pem
|
||||
|
||||
module SSL;
|
||||
|
||||
|
@ -48,11 +47,6 @@ export {
|
|||
client_dh_Yc: string &log &optional;
|
||||
client_ecdh_point: string &log &optional;
|
||||
};
|
||||
|
||||
## Control if host certificates offered by the defined hosts
|
||||
## will be written to the PEM certificates file.
|
||||
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
|
||||
redef extract_certs_pem = ALL_HOSTS;
|
||||
}
|
||||
|
||||
event ssl_established(c: connection) &priority=5
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
# @TEST-EXEC: zeek -b -r $TRACES/tls/ssl.v3.trace %INPUT
|
||||
# @TEST-EXEC: btest-diff certs-remote.pem
|
||||
|
||||
@load protocols/ssl/extract-certs-pem
|
||||
|
||||
redef SSL::extract_certs_pem = ALL_HOSTS;
|